<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/64651>64651</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Functions that forward printf format strings erroneously trigger -Wformat-security
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          pkasting
      </td>
    </tr>
</table>

<pre>
    The following code triggers -Wformat-security on the first call to `f2()`, even though the fact that `f22()` is itself tagged with the format attribute should let the compiler realize that the first arg is a literal at the original callsite:
```
void __attribute__((format(printf, 1, 2))) f2(const char* format, ...);
void __attribute__((format(printf, 1, 2))) f22(const char* format, ...) {
 f2(format);     // Warning (incorrect)
    f2(format, 1);  // No warning (correct)
}

void bar() {
 f22("Test");
}
```

Godbolt repro: https://godbolt.org/z/qeqjP7dr7

Strangely, the second call to `f2()` does not produce a warning, though it is safe or unsafe in exactly the same cases as the first call.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJysVE2P4zYM_TXyhRjDluOPHHyY3YF7Kwp0gT0GjE3b2ipSVqInzf76QlLS7KQoemlgODLI9_hIPQm9V4sh6kX9SdRvGW68Wtef_0DPyizZ0U7X_stKMFut7UWZBUY7EbBTy0LOw8vX2boT8ouncXOKr2ANcAAo5xlG1BrYgmiKWQrZCbkXTSHkZ6B3Col2W9aUjyMDr8gp95EMyoNiT3oGxmWhCS6Kb5hYGpDZqePGBH61m55AE8f4aE9npcmBI9TqByX-hzp0S2BH0IrJoYZb1Dq1KIM6yveKSVSvongTxWsQn574-W7VBIfD3wIOhyi7S8KE7M5OGZ5Dv2V4ydBSfCCOY7QmDGlFJ-Qr3FGfIc_zkFZ9-h_K_HcdEO2tUFJ1jwcBEH5CDkIO8BWdCQ4QslNmtM7RGLMSFOAjOmpJFDf8rxYuD4pnAtG-3RaPno9BcPcsMXlDfiHPQsqfB_Xg-LhP6f2LnY5WMzg6OyuqV1iZzz7sbdS3pHBu3SLk8EPI4Tt9__ZbO7n2Z5bf2aFZSF9Di8EtnkZrpn-xOkyWPBjLcHZ22kYCvA8h4eMBUBx86HEO3oPNxJUyQH_iyPqayuCJYERPHtA_HbE8m_pq2ld7zKgvm33Ztbtd1WRrX3VU7Npi38myxrKYUcp5wq4sZF2UbY2Z6mUhq6IrpSyLtmzyFnFfVWWHTdV2dSvFrqATKp1r_X4Kw8mU9xv1za6py0zjkbSP14eUhi4Qg2Fb6rfM9QHzctwWL3aFVp79g4UVa-qHzYysrPHpbM7WXdBNkAx9P-CenTKLB3LOGrKbDyNJN9A_L6Bsc7p_2lnF63bMR3sScggCbn8vZ2e_RQ8OUbYXcoht_RUAAP__q06Urw">